Please amend the present application as follows: 
Claims 

The following is a copy of Applicant's claims that identifies language being 

added with imderlining (" and language being deleted with strikethrough (" 

as is applicable: 

1 . (Original) An apparatus for performing network routing, the apparatus 
comprising: 

authentication logic configured to receive packets sent from a source agent to 
an endpoint of a tunnel and to determine whether a security association of a packet 
received corresponds to said source agent, the tunnel being configured by said source 
agent in accordance with a network protocol; 

decision logic configured to make a routing decision for each authenticated 
packet that is constrained based on the security association of the authenticated 
packet; and 

routing logic configured to select a routing destination for each authenticated 
packet and to route the authenticated packet to the selected routing destination, the 
routing destination selection being based at least partially on said routing decision. 

2. (Original) The apparatus of claim 1, wherein the routing destination 
selection is based solely on said routing decision. 

3. (Original) The apparatus of claim 1, further comprising: 
decapsulation logic configured to decapsulate received packets, wherein when 

the decapsulation logic decapsulates a packet, the security association of the packet is 
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preserved and contents of a payload of an authenticated packet are routed to the 
selected routing destination. 

4. (Original) The apparatus of claim 1, wherein the network protocol is 
hitemet Protocol Security (IPSec) Protocol (IPSEP). 

5. (Currently amended) The apparatus of claim 1, wherein the network 
protocol is a public n e twork protocol. 

6. (Currently amended) The apparatus of claim 1, wherein the network 
protocol is a private n e twork protocol. 

7. (Original) The apparatus of claim 1, wherein said routing decision to 
route at least a portion of contents of a payload of an authenticated packet to a layer 3 
device, wherein layer 3 corresponds to a particular layer of Open Systems 
Interconnect (OSI) networking model. 

8. (Original) The apparatus of claim 7, wherein the layer 3 device is a 

router. 

9. (Original) The apparatus of claim 1 , wherein said routing decision is a 
decision to route at least a portion of contents of a payload of an authenticated packet 
to a layer 2 device, wherein layer 2 corresponds to a particular layer of Open Systems 
Literconnect (OSI) networking model. 



10. (Original) The apparatus of claim 9, wherein the layer 2 device is a 

switch. 

11. (Original) The apparatus of claim 10, wherein the switch is comprised 
by a Virtual Local Area Network (VLAN). 

12. (Original) The apparatus of claim 1, wherein the decision made by the 
decision logic is a decision as whether to route at least a portion of a payload contents 
of an authenticated packet to a layer 2 device or to a layer 3 device, wherein layers 2 
and 3 correspond to particular layers of Open Systems Interconnect (OSI) networking 
model. 

13. (Currently amended) The apparatus of claim 1, wherein said routing 
decision is made by said decision logic without regard to the contents of a payload of 
the authenticated packet. 

14. (Original) The apparatus of claim 1, wherein an authentication ID is 
derived from said security association, and wherein said routing decision is 
constrained based on said authentication ID. 

15. (Currently amended) A method for performing network routing, the 
method comprising th e st e ps of : 

authenticating received packets sent from a source agent to an endpoint of a 
tunnel by determining whether a security association of a received packet corresponds 
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to the source agent that sent the packet, the tunnel being configured by said source 
agent in accordance with a network protocol; 

making a routing decision for an authenticated packet, the routing decision 
being constrained based on the security association of the authenticated packet; 

selecting a routing destination for a packet based at least partially on the 
routing decision; and 

routing the authenticated packet to the selected routing destination. 

16. (Currently amended) The method of claim 15, further comprising the 

st e p of : 

decapsulating the packets, wherein when the packet is decapsulated, contents 
of a payload of the authenticated packet are decapsulated and the security association 
of the packet is preserved. 

17. (Original) The method of claim 15, wherein the network protocol is 
Internet Protocol Security (IPSec) Protocol (IPSEP). 

18. (Original) The method of claim 15, wherein said routing decision is a 
decision to route at least a portion of payload contents of the authenticated packet to a 
layer 3 device, layer 3 corresponding to a particular layer of an Open Systems 
hiterconnect (OSI) networking model. 

19. (Original) The method of claim 18, wherein the layer 3 device is a 

router. 
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20. (Original) The method of claim 15, wherein said routing decision is a 
decision to route at least a portion of payload contents of an authenticated packet to a 
layer 2 device, layer 2 corresponding to a particular layer of an Open Systems 
Interconnect (OSI) networking model. 

21. (Original) The method of claim 20, wherein the layer 2 device is a 

switch. 

22. (Original) The method of claim 21, wherein the switch is comprised by 
a Virtual Local Area Network (VLAN) switch. 

23. (Original) The method of claim 15, wherein the routing decision is a 
decision as to whether to route at least a portion of payload contents of an 
authenticated packet to a layer 2 device or to a layer 3 device, wherein layers 2 and 3 
correspond to particular layers of an Open Systems Literconnect (OSI) networking 
model. 

24. (Original) A computer program for performing network routing in 
accordance with a private network security technique, the computer program being 
embodied on a computer readable medium, the computer program comprising: 

a first code segment, the first code segment authenticating received packets 
sent from a source agent to a tunnel endpoint to determine whether a security 
association of a received packet corresponds to the source agent that sent the packet, 
the tunnel being configured by said source in accordance with a network protocol; 



a second code segment, the second code segment making a routing decision 
for an authenticated packet, the routing decision being constrained based on the 
security association of the authenticated; and 

a third code segment, the third code segment selecting a routing destination for 
the authenticated packet based at least partially on the routing decision made by the 
second code segment. 

25. (Original) The computer program of claim 24, fixrther comprising: 

a fourth code segment that is executed before the second code segment, the 
fourth code segment performing a decryption algorithm that attempts to decrypt the 
authenticated packet prior to the second code segment making a routing decision, 
wherein when the decryption algorithm is successful at decrypting the authenticated 
packet, contents of a payload of the authenticated packet are decrypted and the 
security association of the security association of the decrypted packet is preserved for 
use by the second code segment in making the routing decision. 

26. (New) A method for routing a packet, comprising: 
receiving a packet at a tunnel endpoint; 
authenticating the packet; 

preserving a security association of the packet as an authentication ID; 

making a routing determination for routing contents of the packet by looking 
up the authentication ID in a table to determine a destination IP address to which the 
packet is to be routed. 



27. (New) The method of claim 26, wherein the routing determination is 
made without regard to an intemal destination address contained within a payload of 
the packet. 

28. (New) The method of claim 26, wherein the packet is an Internet 
Protocol Security (IPSec) packet. 

29. (New) The method of claim 26, further comprising routing the packet 
to an IP address found in the table. 

30. (New) The method of claim 26, further comprising broadcasting the 
packet to all IP addresses found in the table that pertain to a given destination. 
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